This section describes the requirements that the RSA NetWitness services must meet.
Check that the following conditions are met:
The following metafields are present in the index-concentrator-custom.xml file:
virusname
user.src
ip.src
action
msg
event.source
device.ip
ip.dst
url
checksum
The virusname metafield and the other metafields in this list (except for msg) must have the IndexValues level. Also, set the defaultAction value of these metafields to Open.
The msg metafield must have the IndexKeys level (the presence of the metafield in an event is indexed) or the IndexNone level (the metafield is not indexed) in the index-concentrator-custom.xml file. If you set the IndexValues level for this metafield, hard disk space will be consumed rapidly.
If any of these fields are absent from the index file, add them there and restart the Concentrator, as described in section "RSA NetWitness troubleshooting".
If you do not have a Concentrator but you use a Log Decoder for storing data from Feed Service, change the index-logdecoder-custom.xml file and restart the Log Decoder as described above.
Update only the index file of a Concentrator (index-concentrator-custom.xml) if the Concentrator receives data from a Log Decoder. For more information, refer to https://community.rsa.com/docs/DOC-41760. Also, update the index file of a Log Decoder (index-logdecoder-custom.xml) if you use the Log Decoder as the source of data in which you search for events, or if you use the Log Decoder to create reports or dashboards.
The following fields are present, and the value of the flags attribute is None for each of them:
virusname
c_username
saddr
daddr
url
checksum
msg
event_source
hostip
action
If any of these fields are absent from the index files, refer to section "RSA NetWitness troubleshooting".
Detection events sent by Feed Service contain the context from the feeds in separate fields. You can display and use these fields in RSA NetWitness. (In RSA NetWitness, the names of these fields have the kl. prefix.) For this purpose, use the following lines from the %service_dir%/integration/additional_elements/table-map-custom.xml and %service_dir%/integration/additional_elements/index-concentrator-custom.xml files:
<mapping envisionName="kl_detected_indicator" nwName="kl.detected" flags="None"/>
<mapping envisionName="kl_mask" nwName="kl.mask" flags="None"/>
<mapping envisionName="kl_ip" nwName="kl.ip" flags="None"/>
<mapping envisionName="kl_category" nwName="kl.category" flags="None"/>
<mapping envisionName="kl_first_seen" nwName="kl.first_seen" flags="None"/>
<mapping envisionName="kl_last_seen" nwName="kl.last_seen" flags="None"/>
<mapping envisionName="kl_popularity" nwName="kl.popularity" flags="None"/>
<mapping envisionName="kl_threat" nwName="kl.threat" flags="None"/>
<mapping envisionName="kl_industry" nwName="kl.industry" flags="None"/>
<mapping envisionName="kl_threat_score" nwName="kl.threat_score" flags="None"/>
<mapping envisionName="kl_file_size" nwName="kl.file_size" flags="None"/>
<mapping envisionName="kl_file_type" nwName="kl.file_type" flags="None"/>
<mapping envisionName="kl_behaviour" nwName="kl.behaviour" flags="None"/>
<mapping envisionName="kl_verdict" nwName="kl.verdict" flags="None"/>
<mapping envisionName="kl_pub_name" nwName="kl.pub_name" flags="None"/>
<mapping envisionName="kl_detection_date" nwName="kl.detect_date" flags="None"/>
<mapping envisionName="kl_md5" nwName="kl.md5" flags="None"/>
<mapping envisionName="kl_sha1" nwName="kl.sha1" flags="None"/>
<mapping envisionName="kl_sha2" nwName="kl.sha2" flags="None"/>
<mapping envisionName="kl_confidence" nwName="kl.confidence" flags="None"/>
<key description="kl_detected_indicator" format="Text" level="IndexKeys" name="kl.detected" defaultAction="Open"/>
<key description="kl_mask" format="Text" level="IndexKeys" name="kl.mask" defaultAction="Open"/>
<key description="kl_ip" format="IPv4" level="IndexKeys" name="kl.ip" defaultAction="Open"/>
<key description="kl_category" format="Text" level="IndexKeys" name="kl.category" defaultAction="Open"/>
<key description="kl_first_seen" format="Text" level="IndexKeys" name="kl.first_seen" defaultAction="Open"/>
<key description="kl_last_seen" format="Text" level="IndexKeys" name="kl.last_seen" defaultAction="Open"/>
<key description="kl_popularity" format="UInt8" level="IndexKeys" name="kl.popularity" defaultAction="Open"/>
<key description="kl_threat" format="Text" level="IndexKeys" name="kl.threat" defaultAction="Open"/>
<key description="kl_industry" format="Text" level="IndexKeys" name="kl.industry" defaultAction="Open"/>
<key description="kl_threat_score" format="UInt8" level="IndexKeys" name="kl.threat_score" defaultAction="Open"/>
<key description="kl_file_size" format="UInt16" level="IndexKeys" name="kl.file_size" defaultAction="Open"/>
<key description="kl_file_type" format="Text" level="IndexKeys" name="kl.file_type" defaultAction="Open"/>
<key description="kl_behaviour" format="Text" level="IndexKeys" name="kl.behaviour" defaultAction="Open"/>
<key description="kl_verdict" format="Text" level="IndexKeys" name="kl.verdict" defaultAction="Open"/>
<key description="kl_pub_name" format="Text" level="IndexKeys" name="kl.pub_name" defaultAction="Open"/>
<key description="kl_detection_date" format="Text" level="IndexKeys" name="kl.detect_date" defaultAction="Open"/>
<key description="kl_md5" format="Text" level="IndexKeys" name="kl.md5" defaultAction="Open"/>
<key description="kl_sha1" format="Text" level="IndexKeys" name="kl.sha1" defaultAction="Open"/>
<key description="kl_sha2" format="Text" level="IndexKeys" name="kl.sha2" defaultAction="Open"/>
<key description="kl_confidence" format="Text" level="IndexKeys" name="kl.confidence" defaultAction="Open"/>
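The checks above (value-indexed metafields with defaultAction Open, msg kept at IndexKeys or IndexNone, and flags="None" on each mapping) can be run against the two custom files before restarting the services. The following checker is an added example, not part of the Feed Service distribution or of RSA NetWitness; the sample XML fragments are constructed and their wrapper elements are assumed, since only the key and mapping elements are inspected.

```python
import xml.etree.ElementTree as ET

# Metafields that must be value-indexed (level="IndexValues", defaultAction="Open")
VALUE_INDEXED = {"virusname", "user.src", "ip.src", "action", "event.source",
                 "device.ip", "ip.dst", "url", "checksum"}
MSG_LEVELS = {"IndexKeys", "IndexNone"}  # IndexValues on msg consumes disk rapidly
# Envision-side fields whose <mapping> entry must carry flags="None"
MAPPED_FIELDS = {"virusname", "c_username", "saddr", "daddr", "url",
                 "checksum", "msg", "event_source", "hostip", "action"}
# Constructed, deliberately incomplete fragments; the wrapper elements are assumed
SAMPLE_INDEX = """<language level="IndexNone" defaultAction="Auto">
<key description="virusname" format="Text" level="IndexValues" name="virusname" defaultAction="Open"/>
<key description="msg" format="Text" level="IndexValues" name="msg" defaultAction="Open"/>
<key description="ip.src" format="IPv4" level="IndexKeys" name="ip.src" defaultAction="Open"/>
</language>"""
SAMPLE_MAP = """<mappings>
<mapping envisionName="virusname" nwName="virusname" flags="None"/>
<mapping envisionName="saddr" nwName="ip.src" flags="Transient"/>
</mappings>"""


def check_index_file(xml_text):
    """Return problems found in index-concentrator-custom.xml content."""
    keys = {k.get("name"): k for k in ET.fromstring(xml_text).iter("key")}
    problems = []
    for name in sorted(VALUE_INDEXED | {"msg"}):
        key = keys.get(name)
        if key is None:
            problems.append(f"{name}: missing from index file")
        elif name == "msg":
            if key.get("level") not in MSG_LEVELS:
                problems.append(f"msg: level {key.get('level')} consumes disk rapidly; use IndexKeys or IndexNone")
        else:
            if key.get("level") != "IndexValues":
                problems.append(f"{name}: level is {key.get('level')}, expected IndexValues")
            if key.get("defaultAction") != "Open":
                problems.append(f"{name}: defaultAction is {key.get('defaultAction')}, expected Open")
    return problems


def check_table_map(xml_text):
    """Return problems found in table-map-custom.xml content."""
    mappings = {m.get("envisionName"): m for m in ET.fromstring(xml_text).iter("mapping")}
    problems = []
    for name in sorted(MAPPED_FIELDS):
        mapping = mappings.get(name)
        if mapping is None:
            problems.append(f"{name}: no <mapping> entry")
        elif mapping.get("flags") != "None":
            problems.append(f"{name}: flags is {mapping.get('flags')}, expected None")
    return problems
```

Run both functions on the real file contents; an empty list from each means the requirements in this section are met.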
You can specify all the settings described above by using the RSA NetWitness web user interface in the Services (Log Decoder and Concentrator) > Config view.
Restart the Log Decoder and the Concentrator after you have edited the table-map-custom.xml and index-concentrator-custom.xml files.